
Help Adding 2nd Sub-Interface For VPN (Cisco 2500 series)

jguy07 asked:
I'm no Cisco guru, but I've been assigned with the task of setting up a sub-interface for our VPN.  Here's some information:

Need a sub interface
DLCI 101

My interface (the sub) needs IP of 10.129.2.58  (this is ISP's private network in case you are wondering)

I need to add an IP route to 10.128.0.0

With all this in mind, could someone please "baby step" a novice through this?  I'll dump all my points (that I have left) for this one.  

I have MANY sub interfaces already installed on this router, so I can NOT lose their config while doing this, if so........I'll have to look for another place of employment since they connect to all of our branch offices!!  LOL  Here's my config:

User Access Verification
Using 3839 out of 32762 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Tuscaloosa
!
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
ip name-server 207.230.75.34
ip name-server 207.230.75.50
ip name-server 10.0.0.2
!
!
!
!
interface Ethernet0
 ip address 10.0.0.12 255.255.255.0
 ip directed-broadcast
 ip nat inside
 bridge-group 1
!
interface Serial0
 bandwidth 512
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 fair-queue 64 256 0
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 description connected to Decatur
 ip address 192.168.100.1 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay interface-dlci 200
 bridge-group 1
!
interface Serial0.2 point-to-point
 description connected to MtVernon
 ip address 192.168.100.5 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay interface-dlci 300
 bridge-group 1
!
interface Serial0.3 point-to-point
 description connected to Mobile
 ip address 192.168.100.9 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay interface-dlci 400
 bridge-group 1
!
interface Serial0.4 point-to-point
 description connected to Montgomery
 ip address 192.168.100.13 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay interface-dlci 601
 bridge-group 1
!
interface Serial1
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial1.1 point-to-point
 description Connected to Internet
 ip address 10.22.4.130 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 frame-relay interface-dlci 100
!
router rip
 version 2
 passive-interface Serial1.1
 network 10.0.0.0
 network 192.168.100.0
 no auto-summary
!
ip nat pool Tuscaloosa-natpool-41600 209.16.241.33 209.16.241.46 netmask 255.255.255.240
ip nat inside source list 1 pool Tuscaloosa-natpool-41600 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1.1
ip route 10.0.0.0 255.255.255.0 Ethernet0
ip route 192.168.2.0 255.255.255.0 192.168.100.2
ip route 192.168.3.0 255.255.255.0 192.168.100.6
ip route 192.168.4.0 255.255.255.0 192.168.100.10
ip route 192.168.6.0 255.255.255.0 192.168.100.14
no ip http server
!
access-list 1 permit 192.168.100.0 0.0.0.3
access-list 1 permit 192.168.100.4 0.0.0.3
access-list 1 permit 192.168.100.8 0.0.0.3
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.100.12 0.0.0.3
access-list 1 permit 192.168.6.0 0.0.0.255
snmp-server engineID local 00000009020000D058AD278D
snmp-server community public RO
bridge 1 protocol ieee
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 1108140D1407
 login
!
end


With this config, would I be right in assuming that I need to build another sub interface called Serial 0.5 with a  description of "Connected to VPN"????

Please advise.

thanks!!


Author

Commented:
PS:  My subnet mask for the config is: 255.255.255.252

Commented:
There are some questions about the best config for this, but you'd add the following (from the enable prompt):

interface Serial0.5 point-to-point
 description Link to ISP's VPN service
 ip address 10.129.2.58 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 101
 ip nat inside
!
ip route 10.128.0.0 255.255.0.0 10.129.2.57


Here's the upshot -

1.)  The rest of your subinterfaces are set up to bridge all traffic from ethernet0, as well as the other sites.  We're assuming that you don't want to bridge to your VPN provider, but rather route.

2.)  We're also assuming that 10.128.0.0 is a 16-bit prefix (e.g. 255 class-C's), which will be dynamically assigned to your remote users.  

3.)  If #2 is true and you want to have the VPN users able to access the Internet, then you also need to add:

access-list 1 permit 10.128.0.0 0.0.255.255

(which will allow NAT to translate your VPN users' addresses)  

4.)  I'm also assuming that your VPN provider is using the lower half of the /30 you provided.  As such, his F/R IP address would be 10.129.2.57 (..while yours is 58).

Let me know if you'd like me to dig into any more detail.

Good luck!
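Before pasting the change in, it is worth checking it against the assumptions the answer rests on. The script below is an added example (not from the thread, and not Cisco tooling) that parses the proposed Serial0.5 block, its static route and the extra access-list line, and verifies that DLCI 101 is unused on Serial0, that the sub-interface is routed rather than put in bridge-group 1, that 10.129.2.57 is the other usable host of the /30, and that access-list 1 covers 10.128.0.0/16 so NAT will translate it. The existing DLCI set is taken from the question's config; Python's ipaddress module accepts IOS wildcard masks as hostmasks.

```python
import ipaddress
import re

# Constructed sample: the answer's Serial0.5 block plus its route and ACL line.
PROPOSED = """\
interface Serial0.5 point-to-point
 ip address 10.129.2.58 255.255.255.252
 frame-relay interface-dlci 101
 ip nat inside
!
ip route 10.128.0.0 255.255.0.0 10.129.2.57
access-list 1 permit 10.128.0.0 0.0.255.255
"""
# DLCIs already configured on each physical serial in the question's config.
EXISTING_DLCIS = {"Serial0": {200, 300, 400, 601}, "Serial1": {100}}

def parse(text):
    """Extract the sub-interface, static routes and ACL 1 entries from an IOS snippet."""
    cfg = {"ifname": None, "ip": None, "dlci": None, "bridged": False,
           "routes": [], "acl1": []}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cfg["ifname"] = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cfg["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"frame-relay interface-dlci (\d+)", line):
            cfg["dlci"] = int(m.group(1))
        elif line.startswith("bridge-group"):
            cfg["bridged"] = True
        elif (m := re.match(r"ip route (\S+) (\S+) (\S+)", line)) and m.group(3)[0].isdigit():
            # Only next-hop routes; routes pointing at an interface (Serial1.1) are skipped.
            cfg["routes"].append((ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"),
                                  ipaddress.IPv4Address(m.group(3))))
        elif m := re.match(r"access-list 1 permit (\S+) (\S+)", line):
            # IOS wildcard masks are hostmasks, which IPv4Network accepts directly.
            cfg["acl1"].append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"))
    return cfg

def check(text, existing=EXISTING_DLCIS):
    """Return a list of problems; an empty list means the snippet is consistent."""
    c, problems = parse(text), []
    parent = c["ifname"].split(".")[0]          # Serial0.5 -> Serial0
    if c["dlci"] in existing.get(parent, set()):
        problems.append(f"DLCI {c['dlci']} already used on {parent}")
    if c["bridged"]:
        problems.append("sub-interface is in a bridge-group; the VPN link should be routed")
    hosts = set(c["ip"].network.hosts())        # the two usable addresses of the /30
    for net, nh in c["routes"]:
        if nh not in hosts or nh == c["ip"].ip:
            problems.append(f"next hop {nh} is not the peer on {c['ip'].network}")
        if not any(net.subnet_of(a) for a in c["acl1"]):
            problems.append(f"{net} not matched by access-list 1, so NAT won't translate it")
    return problems
```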
